US 11,777,902 B2
Application layer signaling security with next generation firewall
Sachin Verma, Danville, CA (US); and Leonid Burakovsky, Pleasanton, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Feb. 9, 2022, as Appl. No. 17/668,336.
Application 17/668,336 is a continuation of application No. 16/868,411, filed on May 6, 2020, granted, now 11,283,765.
Application 16/868,411 is a continuation of application No. 15/895,944, filed on Feb. 13, 2018, granted, now 10,701,032, issued on Jun. 30, 2020.
Prior Publication US 2022/0272069 A1, Aug. 25, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06F 21/00 (2013.01); H04L 9/40 (2022.01); H04W 12/08 (2021.01)
CPC H04L 63/0236 (2013.01) [H04L 63/0209 (2013.01); H04L 63/1441 (2013.01); H04L 63/168 (2013.01); H04L 63/20 (2013.01); H04W 12/08 (2013.01)]
24 Claims
1. A system, comprising:
a processor configured to:
monitor application layer signaling traffic on a service provider network at a security platform;
filter the application layer signaling traffic at the security platform based on a security policy, wherein an application layer signaling protocol is a Mobile Application Part (MAP) protocol, a CAMEL Application Part (CAP) protocol, or an Intelligent Network Application Part (INAP), and wherein the security platform is configured with a plurality of security policies based on an application layer signaling protocol to perform security policy enforcement based on the MAP, CAP, or INAP protocol; and
perform state and packet validation of an underlying Stream Control Transport Protocol (SCTP) while filtering MAP, CAP, or INAP protocol messages per subsystem number (SSN) or source/destination IP addresses; and
a memory coupled to the processor and configured to provide the processor with instructions.